Just wanted to catalogue the whole “Oblomov-gate” for posterity.
- “Showing The Oblomovs The Door” by Nick Selby, of 451 Group fame; read the comments too.
- “Personal Responsibility in Information Security” by Mike Dahn, of QSA training fame; read the comments too.
- “Two must read posts on PCI” by Martin McKeay, of security podcasting fame.
The great “audit/compliance” vs “security/risk” battle is made very explicit in this discussion. As “audit/compliance” side was “winning" more lately, with this post the “security/risk” side hits back (with a pillow?) and makes the weaknesses in the other side armor more apparent. BTW, I am sure that all the participants of this read the original Donn Parker piece “Making the Case for Replacing Risk-Based Security” [PDF] (if inaccessible, comments here and here), now, didn’t they?
BTW, if somebody will dare say “we need both”, you’d win the Captain Obvious award. But given that this discussion is about the driving or primary approach, such attempts at pacifying the participants will definitely result in F.A.I.L.
I will update as more people comment about it, as they undoubtfully will.
Possibly related posts: